Malware delivered by Yahoo, Fox, Google ads

Discussion in 'malware problems & news' started by ronjor, Mar 22, 2010.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Article
     
  2. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,198
    Location:
    Surrey, England.
    Serious and ongoing problem, plus the seemingly exponential increase in, and
    general tolerance/acceptance of advertising, indicate this is hard to eradicate.
    I feel the best most of us can do is use plenty of effective ad and script-blocking software, surf responsibly, and stay informed.
     
  3. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    And stay sandboxed also.
    Those names are not to be trusted, and don't forget to eliminate toolbars.
     
  4. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I like the slogan from the PC Firewall Guide: "The Internet is a hostile network like the wild west without a sheriff!"
     
  5. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    Right now there are many sites who have been affected by the recent OpenX Ad server hacks. Those servers are now feeding malware to site visitors on a wide range of sites.

    You can find a lot more details at http://stopmalvertising.com/

    Some sites have responded quickly to this recent attack, other companies like Henley Media have still not taken down their OpenX malware server after it was reported to them days ago, and they are still infecting people.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I checked some of the domains listed in stopmalvertising.com and the exploit packs serve up the usual stuff:

    1) exploits against IE

    [screenshot: stats-1.gif]

    I notice the person at stopmalvertising.com checking these domains uses the old tried and true ProcessGuard
    to snag these remote code execution exploits. Go ProcessGuard!

    More domains pushing malware through OpenX Ad Server Exploit
    http://stopmalvertising.com/malvert...shing-malware-through-openx-ad-server-exploit

    The only reason this exploit code runs is that Javascript is required, and Scripting is enabled on my IE. From the code:

    Code:
    <script>
    function JR34_5cK(BPQE8HKp5Al, NR_h8y_5U___1x)
    ....
    
    2) Adobe PDF exploits against any browser

    The PDF file loaded but the exploit code did not trigger anything against my version of the Acrobat Reader.
    Wepawet shows the exploit to be an old one from 2007:

    Code:
    Adobe Collab overflow	Multiple Adobe Reader and Acrobat buffer overflows	CVE-2007-5659
    The only reason the PDF file loaded is because I had scripting and plugins enabled to test.

    [screenshot: stats-pdf.gif]

    Using Opera with scripting enabled per site nullifies the exploit because it is a redirect via i-frame, as the stopmalvertising.com analysis shows.

    This means that even if I have scripting enabled on a legitimate site that serves up the malicious advertisement, the cybercriminal's site to which I'm redirected will not, of course, have scripting enabled. Hence, no exploit runs.

    [screenshot: stats-2.gif]

    Another requirement for the PDF exploit to work is that plugins must be enabled for the PDF file to load into the browser window. Otherwise, you get a download prompt, as I do here when I access that domain again, this time with Plugins disabled and the browser configured to prompt, thus exposing the trick:

    [screenshot: stats-3.gif]

    By the way, the trojan JS: Prontexi mentioned in the cnet.com article was discussed here last month:

    Ads poisoning – JS: Prontexi
    https://www.wilderssecurity.com/showthread.php?t=265818

    Of course, malvertising goes back even further, if you've followed Sandi Hardmier's blogs at spywaresucks.com

    http://msmvps.com/blogs/spywaresucks/archive/tags/Malvertizing/default.aspx

    so there is really nothing new here.

    ----
    rich
     
    Last edited: Mar 23, 2010
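Rmus's walk-through above boils down to three observable traits of the malicious creative: a script block with randomised function names, an i-frame redirect to a domain other than the publisher's, and a PDF pulled in through the browser plugin. As an added example (not from this thread or from stopmalvertising.com), here is a small Python triage script that flags those traits in an ad creative; the constructed sample HTML, the hostnames and the heuristics are my assumptions, and a real triage would add reputation and size checks on top.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample creative showing the three traits described in the post:
# an obfuscated script, a hidden 1px i-frame to another domain, a PDF object.
SAMPLE_AD = """
<script>function JR34_5cK(BPQE8HKp5Al, NR_h8y_5U___1x){return unescape(BPQE8HKp5Al)}</script>
<iframe src="http://evil.example.test/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<object data="http://evil.example.test/stats.pdf" type="application/pdf"></object>
"""

class AdAuditor(HTMLParser):
    # Walks one ad creative and records the traits a malvertising triage looks for.
    def __init__(self, publisher_host):
        super().__init__()
        self.publisher_host, self.findings, self._in_script = publisher_host, [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).hostname or ""
            style = a.get("style", "").replace(" ", "")
            if host and host != self.publisher_host:
                self.findings.append(f"iframe to third-party host {host}")
            if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                    or "hidden" in style or "display:none" in style):
                self.findings.append("hidden/1px iframe")
        elif tag in ("object", "embed"):
            src = a.get("data") or a.get("src") or ""
            if a.get("type") == "application/pdf" or src.lower().endswith(".pdf"):
                self.findings.append(f"PDF loaded via plugin: {src}")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if not self._in_script:
            return
        # Names like JR34_5cK (mixed case plus digits, six+ chars) are a crude tell for generated identifiers.
        idents = re.findall(r"\b[A-Za-z_][A-Za-z0-9_]{5,}\b", data)
        weird = {i for i in idents if re.search(r"\d", i) and re.search(r"[A-Z]", i) and re.search(r"[a-z]", i)}
        if len(weird) >= 2:
            self.findings.append("obfuscated script identifiers")

def audit_ad(html, publisher_host):
    auditor = AdAuditor(publisher_host)
    auditor.feed(html)
    return auditor.findings
```

Running `audit_ad(SAMPLE_AD, "ads.example-publisher.test")` returns all four findings; a plain banner served from the publisher's own host returns an empty list.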